Releases: ferithtools/kernelradar

v0.1.4

09 May 07:52

See CHANGELOG.md for details. Tarball is built reproducibly in CI from a05379d7461d11627391bd1d9d3863cffbbcc2aa.

v0.1.3

09 May 07:10

See CHANGELOG.md for details. Tarball is built reproducibly in CI from 58cd60de34bdf6d652a17dbd6eebac3efb3f0d2c.

v0.1.2

09 May 06:21

See CHANGELOG.md for details. Tarball is built reproducibly in CI from 4bb767e9930cbeb9cb1f1e75477ce37385f422ae.

v0.1.1: security hardening release

08 May 16:37

This is a patch release on top of v0.1.0. No new features. No API or
configuration changes. The binary, the TOML schema, the systemd unit,
and the BPF program names are all source-compatible with v0.1.0 - an
upgrade-in-place is safe.

What changed

A three-round red-team review of the v0.1.0 source closed 26 findings
(KR-01..KR-26). None were exploited in the wild; the project had no
production users at the v0.1.0 release. The fixes are documented in
CHANGELOG.md and fall into four buckets:

  • BPF integrity defaults. Strict-mode is on by default; an empty
    build-time hash refuses to load; the preflight checker warns when the
    BPF directory is not root-owned or is group-/world-writable.
  • Webhook SSRF surface. Loopback, RFC1918, link-local, IPv4-mapped
    IPv6, inet_aton shortcuts (https://0x7f000001,
    https://2130706433), and percent-encoded hosts are all refused;
    redirect-following is off; inflight POSTs are capped via a
    tokio::sync::Semaphore.
  • State-store bounds and eviction. Rate-limiter, dedup, and
    adaptive baseline tables are bounded with sample-of-K approximate
    LRU eviction; anomaly scoring requires a minimum bucket sample
    count; LSM allowlist refuses entries longer than TASK_COMM_LEN;
    the correlation-id is UUID v4 (no host-time leak).
  • Output and self-protection hygiene. systemd splits read-only
    bpf/ from writable state/; selfprotect emits an alert per
    denied kill; path-traversal heuristic in fim / cred requires a
    real parent-directory token; plain-text output escapes ANSI plus
    Unicode bidi / format / line-separator codepoints; selfprotect
    resolves the daemon's host TGID via NSpid: so the LSM block stays
    correct in PID namespaces.
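As an added illustration of the webhook SSRF bucket above (example code, not kernelradar's own), a std-only Rust check that refuses the literal host forms the release lists: loopback, RFC1918, link-local, IPv4-mapped IPv6, inet_aton decimal/hex shortcuts and percent-encoded hosts. It assumes the caller hands it the configured webhook URL; DNS names that resolve to internal addresses are out of scope here.

```rust
// Added example, not kernelradar's own code: literal-host SSRF check, std only.
use std::net::{Ipv4Addr, Ipv6Addr};

/// Pull the host out of an http(s) URL without a URL crate.
fn host_of(url: &str) -> Option<String> {
    let rest = url.strip_prefix("https://").or_else(|| url.strip_prefix("http://"))?;
    let authority = rest.split(['/', '?', '#']).next()?;
    let hostport = authority.rsplit('@').next()?; // drop any userinfo
    let host = match hostport.strip_prefix('[') {
        Some(v6) => v6.split(']').next()?.to_string(), // bracketed IPv6 literal
        None => hostport.split(':').next()?.to_string(), // strip ":port"
    };
    if host.is_empty() { None } else { Some(host) }
}

/// inet_aton shortcuts: bare decimal ("2130706433") or hex ("0x7f000001") u32.
fn inet_aton_shortcut(host: &str) -> Option<Ipv4Addr> {
    let n = match host.strip_prefix("0x").or_else(|| host.strip_prefix("0X")) {
        Some(hex) => u32::from_str_radix(hex, 16).ok()?,
        None => host.parse::<u32>().ok()?,
    };
    Some(Ipv4Addr::from(n))
}

fn v4_is_internal(a: Ipv4Addr) -> bool {
    a.is_loopback() || a.is_private() || a.is_link_local() || a.is_unspecified()
}

/// Ok(host) when the destination may be contacted, Err(reason) otherwise.
pub fn check_webhook_host(url: &str) -> Result<String, &'static str> {
    let host = host_of(url).ok_or("unparseable url or empty host")?;
    if host.contains('%') {
        return Err("percent-encoded host");
    }
    if let Ok(v6) = host.parse::<Ipv6Addr>() {
        if v6.to_ipv4_mapped().map_or(false, v4_is_internal) {
            return Err("ipv4-mapped ipv6 pointing at an internal address");
        }
        if v6.is_loopback() || v6.is_unspecified() || (v6.segments()[0] & 0xffc0) == 0xfe80 {
            return Err("ipv6 loopback, unspecified or link-local");
        }
        return Ok(host);
    }
    // Dotted quad first, then the shortcuts std's strict parser rejects.
    let v4 = host.parse::<Ipv4Addr>().ok().or_else(|| inet_aton_shortcut(&host));
    if v4.map_or(false, v4_is_internal) {
        return Err("loopback, private or link-local ipv4");
    }
    Ok(host)
}
```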

Plus the post-v0.1.0 polish that had been queued in [Unreleased]:
tokio::AsyncFd-driven ring buffers (alert latency floor of a few
microseconds instead of up to 100 ms), Cow<'static, str> for
detector identity (three fewer allocations per emitted alert), and
the runtime::TracepointDetector builder collapse.

Verifying the tarball

curl -fsSLO https://github.com/ferithtools/kernelradar/releases/download/v0.1.1/kernelradar-0.1.1-linux-x86_64.tar.gz
EXPECTED=$(curl -fsSL https://raw.githubusercontent.com/ferithtools/kernelradar/v0.1.1/release-checksums/v0.1.1/kernelradar-0.1.1-linux-x86_64.tar.gz.sha256 | awk '{print $1}')
ACTUAL=$(sha256sum kernelradar-0.1.1-linux-x86_64.tar.gz | awk '{print $1}')
[ "$EXPECTED" = "$ACTUAL" ] || { echo "TAMPERED, do not install"; exit 1; }
tar -xzf kernelradar-0.1.1-linux-x86_64.tar.gz
cd kernelradar-0.1.1-linux-x86_64
sha256sum -c SHA256SUMS
./install.sh
sudo systemctl enable --now kernelradar

Outer SHA-256: afaf7156f3dce442e647ffd2b65d64fce31ccf8d467eeba1836ee7c0d2eba52f

The tarball was built reproducibly from 6902e54 on a Linux x86_64 host
with kernel >= 6.1, clang 14, libbpf 1.8, Rust 1.95. CI on that commit is
5/5 green.

Compatibility

Same as v0.1.0: Linux 6.1+, libbpf 0.8+ (via Aya 0.13), Rust stable.
Tested on Debian 12 with kernel 6.13.9.

v0.1.0: first public preview

07 May 09:40

kernelradar v0.1.0 — first public preview

Behavioral anomaly detection for the Linux kernel via eBPF — single
Rust binary, no Kubernetes, no SaaS, no telemetry leaving the host.

Quick install (Linux x86_64)

curl -fsSLO https://github.com/ferithtools/kernelradar/releases/download/v0.1.0/kernelradar-0.1.0-linux-x86_64.tar.gz

# Verify against in-tree SHA-256 pin (anti-tamper).
EXPECTED=$(curl -fsSL https://raw.githubusercontent.com/ferithtools/kernelradar/v0.1.0/release-checksums/v0.1.0/kernelradar-0.1.0-linux-x86_64.tar.gz.sha256 | awk '{print $1}')
ACTUAL=$(sha256sum kernelradar-0.1.0-linux-x86_64.tar.gz | awk '{print $1}')
[ "$EXPECTED" = "$ACTUAL" ] && echo OK || { echo "TAMPERED — do not install"; exit 1; }

tar -xzf kernelradar-0.1.0-linux-x86_64.tar.gz
cd kernelradar-0.1.0-linux-x86_64
sha256sum -c SHA256SUMS    # verify each shipped file
./install.sh
sudo systemctl enable --now kernelradar
journalctl -u kernelradar -f -o cat

SHA-256

7fbf0d5c7b2f68bab6404d4aa64ec14482e688f112851fe84b3091596cfacf35  kernelradar-0.1.0-linux-x86_64.tar.gz

What's in this release

See CHANGELOG.md:
8 detectors, adaptive baseline, BPF integrity check, opt-in LSM
enforcement, journald/Prometheus/webhook/Falco outputs, full
pre-publication security audit (H-1..H-4, M-1..M-8).

Performance (measured)

On the lowest-spec officially-supported hardware (Celeron J4125 @ 2.0
GHz, 8 GB DDR4, kernel 6.13.9):

Metric                                       Value
Sustained event rate                         321 000 events/sec
Idle RSS                                     65–80 MB
RSS peak under burst (then returns to idle)  136 MB
Memory growth post-burst                     0 bytes
Graceful shutdown                            641 ms

Known limitations

  • IPv4-only network detector (T-12.4, IPv6 in v0.2)
  • LSM enforcement requires lsm=...,bpf in kernel cmdline
  • kr_stats BPF counters readable via bpftool map dump but not
    yet through the Prometheus endpoint (T-12.3, in v0.2)
  • No Debian/RPM packages yet (planned v0.2)

Security

Vulnerabilities → private channel only, see SECURITY.md.